We explore logical reasoning for the global calculus, a coordination model based on the notion of choreography, with the aim of providing a methodology for the specification and verification of structured communications. Starting with an extension of Hennessy-Milner logic, we present the global logic ($\mathcal{GL}$), a modal logic describing possible interactions among participants in a choreography. We illustrate its use by giving examples of properties on service specifications. Finally, we show that, although $\mathcal{GL}$ is undecidable, there is a significant decidable fragment which we provide with a sound and complete proof system for checking validity of formulae.



1 Introduction 



Due to the continuous growth of technologies, software development has recently been shifting its focus to communication, giving rise to various research efforts proposing new methodologies for dealing with higher levels of complexity. A new software paradigm, known as choreography, has emerged with the intent to ease the programming of communication-based protocols. Intuitively, a choreography is a description of the global flow of execution of a system, where the software architect just describes which interactions can take place and in what order. This idea differs from the standard approach, where the communication primitives are given for each single entity separately. A good illustration can be seen in the way a soccer match is planned: the coach has an overall view of the team and organises (a priori) how players will interact in each play (the role of a choreography); once on the field, each player performs his role by interacting with the other members of his team by throwing/receiving passes. The way each player synchronises with the other members of the team represents the role of an orchestration.

The work in [4] formalises the notion of choreography in terms of a calculus, dubbed the global calculus, which pinpoints the basic features of the choreography paradigm. Although choreography provides a good abstraction of the system being designed, allowing one to forget about common problems that can arise when programming communication (e.g. races over a channel), it can still have complex structures and is hence often error-prone. Additionally, choreography can be inflexible in early design stages, where the architect might be interested in designing only parts of a system as well as specifying only parts of a protocol (e.g. initial and final interactions). In this view, we believe that a logical approach can allow for more modularity in designing systems, e.g. by providing a partial specification of a system using the choreography paradigm.

In order to illustrate the approach proposed in this work, let us consider an online booking scenario. 
On one side, consider an airline company AC which offers flights directly from its website. On the other 
side, there is a customer looking for the best offers. We can informally describe the interaction protocol 
in terms of a sequence of allowed interactions (as in a choreography) as follows: 
1. Customer establishes a communication with AC;

2. Customer asks AC for a flight proposal given a set of constraints;

3. AC establishes a communication with partner AC' serving the destination asked by the customer;

4. AC forwards the request made by the customer;

5. AC' sends an offer to AC;

6. AC forwards the offer to the customer.

Note that each step above represents a communication. In the same way that a choreographical specification describes each of the interactions between participants, a logical characterisation of choreographies denotes formulae describing the evolution of such interactions. However, a logical characterisation gives extra flexibility to the specification of interactions: when writing a logical property describing specific communication patterns we focus on describing only the sequence of key interactions, leaving room for implementations that include extra behaviour that does not compromise the fulfilment of the property. For instance, in the above example, one can describe a property leaving out the details on the forwarding of the request to the airline partner, in a statement like "given an interaction between the customer and AC featuring a booking request, there is an eventual response directed to the customer with an offer matching the original session" (in this case, the offer is not necessarily from the airline originally contacted but from one of its partners).

In this document, we provide a link between choreographies and logics. Starting with an extension of Hennessy-Milner logic [10], we provide the syntax and the semantics of a logic for the global calculus as well as several examples of choreographical properties. On decidability issues, we found that the full logic is undecidable on the global calculus with recursion. As a result, we focus our study on a decidable fragment, providing a proof system that allows for property verification of choreographies, and show that it is sound and complete, in the sense that all and only the valid formulae of the global logic are provable in the proof system. Moreover, we can conclude that the proof checking algorithm using this proof system is terminating.

Overview of the document. First, in Section 2 we recall the formal foundations of the global calculus, and equip it with a labelled transition semantics. A logical characterisation of the calculus and several examples of the use of the logic are presented in Section 3. We proceed with the study of undecidability for the logic in Section 4, and a proof system relating the logical characterisation and the global calculus for a decidable fragment of the language is presented in Section 5. Finally, concluding remarks are presented in Section 6.

2 The Global Calculus 

The Global Calculus (GC) [4, 5] originates from the Web Service Choreography Description Language (WS-CDL) [12], a description language for web services developed by W3C. Terms in GC describe choreographies as interactions between participants by means of message exchanges. The description of such interactions is centred on the notion of a session, in which two interacting parties first establish a private connection via some public channel and then interact through it, possibly interleaved with other sessions. More concretely, an interaction between two parties starts with the creation of a fresh session identifier, which will later be used as a private channel where meaningful interactions take place. Each session is fresh and unique, so each communication activity is clearly separated from other interactions. In this section, we provide an operational semantics for GC in terms of a labelled transition system (LTS) [16] describing how global descriptions evolve, and relate it to the type discipline from [5] that describes the structured sequence of message exchanges between participants.



2.1 Syntax 

Let $\mathcal{C}, \mathcal{C}', \ldots$ denote terms of the calculus, often called interactions or choreographies; $A, B, C, \ldots$ range over participants; $k, k', \ldots$ are linear channels; $a, b, c, \ldots$ shared channels; $v, w, \ldots$ variables; $X, Y, \ldots$ process variables; $l, l', \ldots$ labels for branching; and finally $e, e', \ldots$ range over unspecified arithmetic and other first-order expressions. We write $e@A$ to mean that the expression $e$ is evaluated using the variables related to participant $A$ in the store.

Definition 2.1. The syntax of the global calculus is given by the following grammar:

$\mathcal{C} ::= 0$   (inaction)
  $\mid A \to B : a(k).\ \mathcal{C}$   (init)
  $\mid A \to B : k(e, y).\ \mathcal{C}$   (com)
  $\mid A \to B : k[l_i : \mathcal{C}_i]_{i \in I}$   (choice)
  $\mid \mathcal{C}_1 \mid \mathcal{C}_2$   (par)
  $\mid \text{if } e@A \text{ then } \mathcal{C}_1 \text{ else } \mathcal{C}_2$   (cond)
  $\mid X$   (recvar)
  $\mid \mu X.\ \mathcal{C}$   (recursion)


Intuitively, the term (inaction) denotes a system where no interactions take place. (init) denotes a session initiation by $A$ via $B$'s service channel $a$, with a fresh session channel $k$ and continuation $\mathcal{C}$. Note that $k$ is bound in $\mathcal{C}$. (com) denotes an in-session communication of the evaluation (at $A$'s) of the expression $e$ over a session channel $k$. In this case, $y$ does not bind in $\mathcal{C}$ (our semantics will treat $y$ as a variable in the store of $B$). (choice) denotes a labelled choice over session channel $k$ and set of labels $I$. In (par), $\mathcal{C}_1 \mid \mathcal{C}_2$ denotes the parallel product between $\mathcal{C}_1$ and $\mathcal{C}_2$. (cond) denotes the standard conditional operator, where $e@A$ indicates that the expression $e$ has to be evaluated in the store of participant $A$. In (recursion), $\mu X.\ \mathcal{C}$ is the minimal fixpoint operator for recursion, where the variable $X$ of (recvar) is bound in $\mathcal{C}$. The free and bound session channels and term variables are defined in the usual way. The calculus is equipped with a standard structural congruence $\equiv$, defined as the minimal congruence relation on interactions $\mathcal{C}$ such that $\equiv$ is a commutative monoid with respect to $\mid$ and $0$, it is closed under alpha equivalence $\equiv_\alpha$ of terms, and it is closed under recursion unfolding, i.e., $\mu X.\ \mathcal{C} \equiv \mathcal{C}[\mu X.\ \mathcal{C} / X]$.

Remark 2.2 (Differences with the approach in [5]). Excluding the lack of local assignment, we argue that this monadic version of GC is, to some extent, as expressive as the Global Calculus originally reported in [5]. In particular, note that $A \to B : k(op, e, y)$ in [5] captures both selection and message passing, which are instead disentangled in our case (mainly for clarity reasons). The absence of $op$ in the interaction process $A \to B : k(e, y)$ can be easily encoded with the existing operators. In fact, $\sum_{i \in I} A \to B : k(op_i, e, y).\ \mathcal{C}_i$ can be decomposed into $A \to B : k[op_i : \mathcal{C}'_i]_{i \in I}$ where $\mathcal{C}'_i = A \to B : k(e, y).\ \mathcal{C}_i$ (although we lose atomicity).



2.2 Semantics 



(G-Init)   $\dfrac{h \text{ fresh}}{(\sigma, A \to B : a(k).\ \mathcal{C}) \xrightarrow{\text{init } A \to B \text{ on } a(h)} (\sigma, \mathcal{C}[h/k])}$

(G-Com)   $\dfrac{\sigma(e@A) \Downarrow v}{(\sigma, A \to B : k(e, x).\ \mathcal{C}) \xrightarrow{\text{com } A \to B \text{ over } k} (\sigma[x@B \mapsto v], \mathcal{C})}$

(G-Choice)   $\dfrac{j \in I}{(\sigma, A \to B : k[l_i : \mathcal{C}_i]_{i \in I}) \xrightarrow{\text{sel } A \to B \text{ over } k : l_j} (\sigma, \mathcal{C}_j)}$

(G-Par)   $\dfrac{(\sigma, \mathcal{C}_1) \xrightarrow{\ell} (\sigma', \mathcal{C}'_1)}{(\sigma, \mathcal{C}_1 \mid \mathcal{C}_2) \xrightarrow{\ell} (\sigma', \mathcal{C}'_1 \mid \mathcal{C}_2)}$

(G-Struct)   $\dfrac{\mathcal{C} \equiv \mathcal{C}' \quad (\sigma, \mathcal{C}') \xrightarrow{\ell} (\sigma', \mathcal{C}'') \quad \mathcal{C}'' \equiv \mathcal{C}'''}{(\sigma, \mathcal{C}) \xrightarrow{\ell} (\sigma', \mathcal{C}''')}$

(G-IfT)   $\dfrac{\sigma(e@A) \Downarrow tt \quad (\sigma, \mathcal{C}_1) \xrightarrow{\ell} (\sigma', \mathcal{C}'_1)}{(\sigma, \text{if } e@A \text{ then } \mathcal{C}_1 \text{ else } \mathcal{C}_2) \xrightarrow{\ell} (\sigma', \mathcal{C}'_1)}$

(G-IfF)   $\dfrac{\sigma(e@A) \Downarrow ff \quad (\sigma, \mathcal{C}_2) \xrightarrow{\ell} (\sigma', \mathcal{C}'_2)}{(\sigma, \text{if } e@A \text{ then } \mathcal{C}_1 \text{ else } \mathcal{C}_2) \xrightarrow{\ell} (\sigma', \mathcal{C}'_2)}$

Table 1: Operational Semantics for the Global Calculus

We give the operational semantics in terms of configurations $(\sigma, \mathcal{C})$, where $\sigma$ represents the state of the system and $\mathcal{C}$ the choreography actually being executed. The state $\sigma$ contains a set of variables labelled by participants. As described in the previous subsection, a variable $x$ located at participant $A$ is written as $x@A$. The same variable name labelled with different participant names denotes different variables (hence $\sigma(x@A)$ and $\sigma(x@B)$ may differ). Formally, the operational semantics is defined as a labelled transition system (LTS). A transition $(\sigma, \mathcal{C}) \xrightarrow{\ell} (\sigma', \mathcal{C}')$ says that a choreography $\mathcal{C}$ in a state $\sigma$ executes an action (or label) $\ell$ and evolves into $\mathcal{C}'$ with a new state $\sigma'$. Actions are defined as $\ell = \{\text{init } A \to B \text{ on } a(k),\ \text{com } A \to B \text{ over } k,\ \text{sel } A \to B \text{ over } k : l\}$, denoting initiation, in-session communication and branch selection, respectively. We write $(\sigma, \mathcal{C}) \to (\sigma', \mathcal{C}')$ when $\ell$ is irrelevant, and $\to^*$ denotes the transitive closure of $\to$. The transition relation $\to$ is defined as the minimum relation on pairs state/interaction satisfying the rules in Table 1.

Intuitively, transition (G-Init) describes the evolution of a session initiation: after $A$ initiates a session with $B$ on service channel $a$, $A$ and $B$ share the fresh channel $h$ locally. (G-Com) describes the main interaction rule of the calculus: the expression $e$ is evaluated into $v$ in the $A$-portion of the state $\sigma$ and then assigned to the variable $x$ located at $B$, resulting in the new state $\sigma[x@B \mapsto v]$. (G-Choice) chooses the evolution of a choreography resulting from a labelled choice over a session key $k$. (G-IfT) and (G-IfF) show the possible paths that a deterministic evolution of a choreography can produce. (G-Par) and (G-Struct) behave as the standard rules for parallel product and structural congruence, respectively.
Remark 2.3 (Global Parallel). Parallel composition in the global calculus differs from the notion of parallel found in standard concurrency models based on input/output primitives [?]. In the latter, a term $P_1 \mid P_2$ may allow interactions between $P_1$ and $P_2$. However, in the global calculus, the parallel composition of two choreographies $\mathcal{C}_1 \mid \mathcal{C}_2$ concerns two parts of the described system where interactions may occur in $\mathcal{C}_1$ and in $\mathcal{C}_2$ but never across the parallel operator $\mid$. This is because an interaction $A \to B \ldots$ abstracts from the actual end-point behaviour, i.e., how $A$ sends and $B$ receives. In this model, dependencies between two choreographies can be expressed by using variables in the state $\sigma$.

In its original presentation [5], GC comes equipped with a reduction semantics, unlike the one presented in Table 1. Our LTS semantics has the advantage of allowing us to observe changes in the behaviour of the system, which will prove useful when relating to the logical characterisation in Section 3. We conjecture that our proposed LTS semantics and the reduction semantics of the global calculus originally presented in [5] coincide (taking into account the considerations in Remark 2.2).

Example 2.4 (Online Booking). We consider the example presented in the introduction, i.e., a simplified version of the on-line booking scenario presented in [?]. Here, the customer (Cust) establishes a session with the airline company (AC) using the service ob (on-line booking) and creating the session key $k_1$. Once the session is established, the customer asks the company for a flight offer with his booking data, along the session key $k_1$. The airline company will process the customer request and, after requesting the service from another airline company (AC'), will send a reply back with an offer. The customer will eventually accept the offer, sending back an acknowledgement to the airline company using $k_1$. The following specification in GC represents the protocol:

$\mathcal{C}_{OB} = \text{Cust} \to \text{AC} : ob(k_1).\ \text{Cust} \to \text{AC} : k_1(booking, x).\ \text{AC} \to \text{AC}' : ob(k_2).\ \text{AC} \to \text{AC}' : k_2(x, x').\ \text{AC}' \to \text{AC} : k_2(offer, y).\ \text{AC} \to \text{Cust} : k_1(y, y').\ \text{Cust} \to \text{AC} : k_1(accept, z).\ 0$   (OB)

2.3 Session Types for the Global Calculus 

We use a generalisation of session types [11] for global interactions, first presented in [5]. Session types in GC are used to structure the sequence of message exchanges in a session. Their syntax is as follows:

$\alpha ::= \downarrow(\theta).\alpha \mid \uparrow(\theta).\alpha \mid \&\{l_i : \alpha_i\}_{i \in I} \mid \oplus\{l_i : \alpha_i\}_{i \in I} \mid \text{end} \mid \mu t.\alpha \mid t$   (1)

where $\theta, \theta', \ldots$ range over value types bool, string, int, ..., and $\alpha, \alpha', \ldots$ are session types. The first four types are associated with the various communication operations: $\downarrow(\theta).\alpha$ and $\uparrow(\theta).\alpha$ are the input and output types respectively; similarly, $\&\{l_i : \alpha_i\}_{i \in I}$ is the branching type while $\oplus\{l_i : \alpha_i\}_{i \in I}$ is the selection type. The type end indicates session termination and is often omitted. $\mu t.\alpha$ indicates a recursive type with $t$ as a type variable; $\mu t.\alpha$ binds the free occurrences of $t$ in $\alpha$. We take an equi-recursive view on types, not distinguishing between $\mu t.\alpha$ and its unfolding $\alpha[\mu t.\alpha / t]$.

A typing judgment has the form $\Gamma \vdash \mathcal{C} : \Delta$, where $\Gamma, \Delta$ are service type and session type environments, respectively. Typically, $\Gamma$ contains a set of type assignments of the form $a@A : \alpha$, which says that a service $a$ located at participant $A$ may be invoked and run a session according to type $\alpha$. $\Delta$ contains type assignments of the form $k[A, B] : \alpha$, which says that a session channel $k$ identifies a session between participants $A$ and $B$ and has session type $\alpha$ when seen from the viewpoint of $A$. The typing rules are omitted, and we refer to [6] for the full account of the type discipline, noting that the observations made in Remark 2.2 will require extra typing rules.

Returning to the specification (OB) in Example 2.4, the service type of the airline company AC at channel ob can be described as:

$ob@\text{AC} : (k_1, k_2)\ k_1 \downarrow booking(\text{string}).\ k_2 \uparrow x(\text{string}).\ k_2 \downarrow offer(\text{int}).\ k_1 \uparrow y(\text{int}).\ k_1 \downarrow accept(\text{int}).\ \text{end}.$
$\phi, \chi ::= \exists t.\ \phi$   (f-exists)
  $\mid \phi \wedge \chi$   (f-and)
  $\mid \neg\phi$   (f-neg)
  $\mid \langle \ell \rangle \phi$   (f-action)
  $\mid \text{end}$   (f-termination)
  $\mid e_1@A = e_2@B$   (f-equality)
  $\mid \phi \mid \chi$   (f-parallel)
  $\mid \Diamond\phi$   (f-may)

$\ell ::= \text{init } A \to B \text{ on } a(k)$   (l-init)
  $\mid \text{com } A \to B \text{ over } k$   (l-com)
  $\mid \text{sel } A \to B \text{ over } k : l$   (l-branch)

Table 2: $\mathcal{GL}$: Syntax of formulae



Assumption 2.5. In the sequel, we only consider choreographies that satisfy the typing discipline. 



3 A Logic for the Global Calculus

In this section, we introduce a logic for choreographies, inspired by the modal logic for session types presented in [1]. The logical language comprises assertions for equality and value/name passing.



3.1 Syntax 



The grammar of assertions is given in Table 2. Choreography assertions (ranged over by $\phi, \phi', \chi, \ldots$) give a logical interpretation of the global calculus introduced in the previous section. The logic includes the standard First Order Logic (FOL) operators $\wedge$, $\neg$, and $\exists$. In $\exists t.\ \phi$, the variable $t$ is meant to range over service and session channels, participants, labels for branching and basic placeholders for expressions. Accordingly, it works as a binder in $\phi$. In addition to the standard operators, the operator (f-action) represents the execution of a labelled action $\ell$ followed by the assertion $\phi$. The labels $\ell$ match the ones in the LTS of GC, i.e., they are (l-init), (l-com), and (l-branch). The formula (f-termination) represents process termination. We also include an unspecified, but decidable, (f-equality) operator on expressions as in [1]. (f-may) denotes the standard eventually operator from Linear Temporal Logic (LTL) [9]. The spatial operator (f-parallel) denotes composition of formulae: because of the unique nature of parallel composition in choreographies, we have used the symbol $\mid$ (as in separation logic [18] and spatial logic [3]) in order to stress the fact that there is no interference between two choreographies running in parallel.

Notation 3.1 (Existential quantification over action labels). In order to simplify readability, we introduce existential quantification over action labels as a shortcut for the following:

$\exists \ell.\ \langle \ell \rangle \phi \;=\; \exists A, B, a, k.\ \langle \text{init } A \to B \text{ on } a(k) \rangle \phi \;\vee\; \exists A, B, k.\ \langle \text{com } A \to B \text{ over } k \rangle \phi \;\vee\; \exists A, B, k, l.\ \langle \text{sel } A \to B \text{ over } k : l \rangle \phi.$



Remark 3.2 (Derived Operators). We can get the full account of the logic by deriving the standard set of strong modalities from the operators presented above. In particular, we can encode the constants true (tt) and false (ff), the next ($\bigcirc\phi$) and the always ($\Box\phi$) operators from LTL.

$tt \stackrel{\text{def}}{=} (0@A = 0@A)$   $ff \stackrel{\text{def}}{=} (0@A = 1@A)$   $(e_1 \neq e_2) \stackrel{\text{def}}{=} \neg(e_1 = e_2)$

$\forall x.\ \phi \stackrel{\text{def}}{=} \neg\exists x.\ \neg\phi$   $\phi \vee \chi \stackrel{\text{def}}{=} \neg(\neg\phi \wedge \neg\chi)$   $\phi \Rightarrow \chi \stackrel{\text{def}}{=} \neg\phi \vee \chi$

$\Box\phi \stackrel{\text{def}}{=} \neg\Diamond\neg\phi$   $[\ell]\phi \stackrel{\text{def}}{=} \neg\langle \ell \rangle \neg\phi$   $\bigcirc\phi \stackrel{\text{def}}{=} \exists \ell.\ \langle \ell \rangle \phi$

In the rest of this section, we illustrate the expressiveness of our logic through a sequence of simple, yet illuminating, examples, giving an intuition of how the modalities introduced, together with the existential operator $\exists$, allow one to express properties of choreographies.

Example 3.3 (Availability, Service Usage and Coupling). The logic above allows one to express that, given a service invoker (known as $A$ in this setting) requesting the service $a$, there exists another participant (called $B$ in the example) providing $a$, with $A$ invoking it. This can be formulated in $\mathcal{GL}$ as follows:

$\exists B.\ \langle \text{init } A \to B \text{ on } a(k) \rangle tt.$

Assume now that we want to ensure that the services available are actually used. We can use the dual property of availability, i.e., for a service provider $B$ offering $a$, there exists someone invoking $a$:

$\exists A.\ \langle \text{init } A \to B \text{ on } a(k) \rangle tt.$

Verifying that there is a service pairing two different participants in a choreography can be done by existentially quantifying over the shared channels used in an initiation action. A formula in $\mathcal{GL}$ representing this can be the following one:

$\exists a.\ \langle \text{init } A \to B \text{ on } a(k) \rangle tt.$

Example 3.4 (Causality Analysis). The modal operators of the logic can be used to study the causal properties that a specified choreography can fulfil. For instance, we can specify that, given an expression $e$ evaluating to true at participant $A$, there is an eventual firing of a choreography that satisfies property $\phi_1$, whilst $\phi_2$ will never be satisfied. Such a property can be specified as follows:

$(e@A = tt) \wedge \Diamond\phi_1 \wedge \Box\neg\phi_2.$

Example 3.5 (Response Abstraction). An interesting aspect of our logic is that it allows for the declaration of partial specification properties regarding the interaction of the participants involved in a choreography. Take for instance the interaction diagram in Figure 1. The participant $A$ invokes service $b$ at $B$'s and then $B$ invokes $D$'s service $d$. At this point, $D$ can send the content of variable $x$ to $A$ in two different ways: either by using the originally established sessions or by invoking a new service at $A$'s. However, at the end of both computation paths, variable $z$ (located at $A$'s) will contain the value of $x$. In the global calculus, these two optional behaviours can be modelled as follows:

$\mathcal{C}_1 = A \to B : b(k).\ B \to D : d(k').\ D \to B : k'(x, y_B).\ B \to A : k(y_B, z).\ 0$   (Option 1)

$\mathcal{C}_2 = A \to B : b(k).\ B \to D : d(k').\ D \to A : a(k'').\ D \to A : k''(x, z).\ 0$   (Option 2)

We argue that, from the point of view of $A$, both options are sufficiently good if, after an initial interaction with $B$ is established, there is an eventual response that binds variable $z$. Such a property can be expressed by the $\mathcal{GL}$ formula:

$\exists X, k''.\ \langle \text{init } A \to B \text{ on } a(k) \rangle \Diamond \big( \langle \text{com } X \to A \text{ over } k'' \rangle (z@A = x@D) \mid \text{end} \big).$

Figure 1: Diagram of a partial specification.

Notice that both the choreographies (Option 1) and (Option 2) satisfy the partial specification above. This will be clear in Section 3.2, where we introduce the semantics of the logic.

Also note that a third option for the protocol at hand is to use delegation (the ability of communicating 
session keys to third participants not involved during session initiation). However, the current version of 
the global calculus does not feature such an operation and we leave it as future work. 

Example 3.6 (Connectedness). The work in [5] proposes a set of criteria for guaranteeing a safe end-point projection between global and local specifications (note that the choreography in the previous example does not respect such properties). Essentially, a valid global specification has to fulfil three different criteria, namely Connectedness, Well-threadedness and Coherence. It is interesting to see that some of these criteria relate to global and local causality relations between the interactions in a choreography, and can be easily formalised as properties in the choreography logic presented here. Below, we consider the notion of connectedness and leave the other cases as future work. Connectedness dictates a global causality principle among interactions: any two consecutive interactions $\ldots A \to B.\ C \to D \ldots$ in a choreography are such that $B = C$. In the following, let $\text{Interact}(A, B)\phi$ be true whenever $\langle \ell \rangle \phi$ holds for some $\ell$ with an interaction from $A$ to $B$. Connectedness can be specified as:

$\forall A, B.\ \Box\big(\text{Interact}(A, B)\,tt \Rightarrow \exists C.\ (\text{Interact}(A, B)\,\text{Interact}(B, C)\,tt \;\vee\; \text{Interact}(A, B)\,\neg\exists \ell.\ \langle \ell \rangle tt)\big)$



3.2 Semantics 

We now give a formal meaning to the assertions introduced above with respect to the semantics of the global calculus introduced in the previous section. In particular, we introduce the notion of satisfaction. We write $\mathcal{C} \models_\sigma \phi$ whenever a state $\sigma$ and a choreography $\mathcal{C}$ satisfy a formula $\phi$. The relation $\models_\sigma$ is defined by the rules given in Table 3. In the $\exists t.\ \phi$ case, $w$ should be an appropriate value according to the type of $t$, e.g., a participant if $t$ is a participant placeholder.

Definition 3.7 (Satisfiability, Validity and Logical Equivalence). 
$\mathcal{C} \models_\sigma \text{end}$   iff   $\mathcal{C} \equiv 0$

$\mathcal{C} \models_\sigma (e_1@A = e_2@B)$   iff   $\sigma(e_1@A) \Downarrow v$ and $\sigma(e_2@B) \Downarrow v$

$\mathcal{C} \models_\sigma \langle \ell \rangle \phi$   iff   $(\sigma, \mathcal{C}) \xrightarrow{\ell} (\sigma', \mathcal{C}')$ and $\mathcal{C}' \models_{\sigma'} \phi$

$\mathcal{C} \models_\sigma \phi \wedge \chi$   iff   $\mathcal{C} \models_\sigma \phi$ and $\mathcal{C} \models_\sigma \chi$

$\mathcal{C} \models_\sigma \exists t.\ \phi$   iff   $\mathcal{C} \models_\sigma \phi[w/t]$ (for some appropriate $w$)

$\mathcal{C} \models_\sigma \Diamond\phi$   iff   $(\sigma, \mathcal{C}) \to^* (\sigma', \mathcal{C}')$ and $\mathcal{C}' \models_{\sigma'} \phi$

$\mathcal{C} \models_\sigma \phi \mid \chi$   iff   $\mathcal{C} \equiv \mathcal{C}_1 \mid \mathcal{C}_2$ such that $\mathcal{C}_1 \models_\sigma \phi$ and $\mathcal{C}_2 \models_\sigma \chi$

Table 3: Assertions of the Choreography Logic

• A formula $\phi$ is satisfiable if there exists some configuration under which it is true, that is, $\mathcal{C} \models_\sigma \phi$ for some $(\sigma, \mathcal{C})$.

• A formula $\phi$ is valid if it is true in every configuration, that is, $\mathcal{C} \models_\sigma \phi$ for every $(\sigma, \mathcal{C})$.

• A formula $\chi$ is a logical consequence of a formula $\phi$ (or $\phi$ logically implies $\chi$), denoted with an abuse of notation as $\phi \models \chi$, if every configuration $(\sigma, \mathcal{C})$ that makes $\phi$ true also makes $\chi$ true.

• We say that a formula $\phi$ is logically equivalent to a formula $\chi$, written $\phi \equiv \chi$, if $\phi \models \chi$ iff $\chi \models \phi$.



4 Undecidability of Global Logic 

In this section we focus on the undecidability of the global logic for the global calculus with recursion given in Section 2. In order to prove that the global logic is undecidable, we use a reduction from the Post Correspondence Problem (PCP) [17], similar to the one proposed in [?]. The idea is to encode in the global calculus a "program" which simulates the construction of a PCP solution. We first give a formal definition of PCP. In the sequel, $\cdot$ denotes word concatenation.

Definition 4.1 (PCP). Let $s, t, \ldots$ range over $\Sigma^*$ where $\Sigma = \{0, 1\}$ and let $\varepsilon$ be the empty word. An instance of PCP is a set of pairs of words $\{(s_1, t_1), \ldots, (s_n, t_n)\}$ over $\Sigma^* \times \Sigma^*$. The Post Correspondence Problem is to find a sequence $i_0, i_1, \ldots, i_k$ ($1 \le i_j \le n$ for all $0 \le j \le k$) such that $s_{i_0} \cdot \ldots \cdot s_{i_k} = t_{i_0} \cdot \ldots \cdot t_{i_k}$.

Intuitively, PCP consists of finding some string in $\Sigma^*$ which can be obtained by the concatenation $s_{i_0} \cdot \ldots \cdot s_{i_k}$ as well as by $t_{i_0} \cdot \ldots \cdot t_{i_k}$. Such a problem has been proved to be undecidable [17]. Our goal is to find a GC term that takes a random pair of words from an instance of PCP and appends them to an "incremental pair" of words which encodes the current state of the sequences $s_{i_0} \cdot \ldots \cdot s_{i_k}$ and $t_{i_0} \cdot \ldots \cdot t_{i_k}$. Technically, we need a choreography that randomly assigns a natural number in $\{1, \ldots, n\}$ to a variable $r$ in some participant $B$, and another choreography that picks a pair of words from the PCP instance according to the value in the variable $r@B$, and then appends them to the "incremental pair" of words in $A$. Formally,

Definition 4.2 (Encoding of PCP). Let $A_1, \ldots, A_n, A, B$ be participants and $a, b$ shared names for sessions, then define the two choreographies as shown below:

$\text{Random}(A_1, \ldots, A_n, B, a) \stackrel{\text{def}}{=}$
  $\mu X.\ A_1 \to B : a(k).\ A_1 \to B : k(1, r).\ X$
  $\mid \mu X.\ A_2 \to B : a(k).\ A_2 \to B : k(2, r).\ X$
  $\mid \ldots$
  $\mid \mu X.\ A_n \to B : a(k).\ A_n \to B : k(n, r).\ X$

$\text{Append}(A, B, b) \stackrel{\text{def}}{=}$
  $\mu X.\ A \to B : b(k).\ A \to B : k(str1, tmp1).\ A \to B : k(str2, tmp2).$
    if $r@B = 1$ then $B \to A : k(tmp1 \cdot s_1, str1).\ B \to A : k(tmp2 \cdot t_1, str2).\ X$
    else if $r@B = 2$ then $B \to A : k(tmp1 \cdot s_2, str1).\ B \to A : k(tmp2 \cdot t_2, str2).\ X$
    else if $r@B = 3$ then $\ldots$
    else if $r@B = n$ then $B \to A : k(tmp1 \cdot s_n, str1).\ B \to A : k(tmp2 \cdot t_n, str2).\ X$
    else $X$

We define the initial configuration $(\sigma, \mathcal{C})$ to be formed by the choreography and the state below:

$\mathcal{C} \stackrel{\text{def}}{=} \text{Random}(A_1, \ldots, A_n, B, a) \mid \text{Append}(A, B, b)$

$\sigma \stackrel{\text{def}}{=} [str1@A \mapsto \varepsilon,\ str2@A \mapsto \varepsilon,\ tmp1@B \mapsto \varepsilon,\ tmp2@B \mapsto \varepsilon,\ r@B \mapsto 1].$

The PCP existence question ($s_{i_0} \cdot \ldots \cdot s_{i_k} = t_{i_0} \cdot \ldots \cdot t_{i_k}$) can then be encoded as the formula:

$\phi \stackrel{\text{def}}{=} \Diamond\big((str1@A = str2@A) \wedge (str1@A \neq \varepsilon) \wedge (str2@A \neq \varepsilon)\big).$

Above, each participant $A_i$ (with $i \in \{1, \ldots, n\}$) recursively opens a session with participant $B$ and writes the value $i$ in the variable $r@B$. Moreover, the participant $B$ stores the knowledge of all the word pairs $(s_i, t_i)$, while the participant $A$ randomly takes a word pair from $B$ and then appends it to his incremental pair of words $(str1, str2)$. Next, the formula $\phi$ states that there exists a computational path from the initial configuration to a configuration which stores in $str1$ and $str2$ two equal non-empty strings.

Theorem 4.3. The global logic is undecidable on the global calculus with recursion.

Proof. (Sketch) The statement $\mathcal{C} \models_\sigma \phi$ holds iff the encoded PCP has a solution. Indeed, if the initial configuration $(\sigma, \mathcal{C})$ satisfies the formula $\phi$ then there exists a configuration $(\sigma', \mathcal{C}')$ where $(str1@A = str2@A) \wedge (str1@A \neq \varepsilon) \wedge (str2@A \neq \varepsilon)$ holds. Hence, there is a sequence $i_0, \ldots, i_k$ such that $str1 = s_{i_0} \cdot \ldots \cdot s_{i_k} = t_{i_0} \cdot \ldots \cdot t_{i_k} = str2$, that is, the instance of PCP has a solution. □

Remark 4.4. The undecidability result presented in this section shows that the global calculus is considerably expressive, even though the choreography approach offers a simplification in the specification of concurrent communicating systems, as argued in [?]. The encoding in Definition 4.2 shows that allowing state variables (hence local variables that can be accessed by various threads) increases the expressive power of the language. Indeed, we could just look at GC as a simple concurrent language with a "shared" store where assignment to variables is just in-session communication. In this view, we conjecture that removing variables and focusing only on communication would make the logic decidable.



5 Proof System for Recursion-free Choreographies

In this section, we present a model checking algorithm (in the form of a proof system) to decide whether a global logic formula is satisfied by a recursion-free configuration of the global calculus. Indeed, similarly to [?], it turns out that the logic is decidable on recursion-free choreographies¹. We also prove the soundness and completeness of the proposed proof system w.r.t. the assertion semantics.

In order to reason about judgements $\mathcal{C} \models_\sigma \phi$, we propose a proof (or inference) system for assertions of the form $\mathcal{C} \vdash_\sigma \phi$. Intuitively, we want $\mathcal{C} \vdash_\sigma \phi$ to approximate $\mathcal{C} \models_\sigma \phi$ as closely as possible (ideally, they should be equivalent). We write $\mathcal{C} \vdash_\sigma \phi$ for the provability judgement where $(\sigma, \mathcal{C})$ is a configuration and $\phi$ is a formula.

Notation 5.1. We define the set of continuation configurations after an action $\ell$ and the set of reachable configurations, both starting from a configuration $(\sigma, \mathcal{C})$, as follows:

$\text{Next}(\sigma, \mathcal{C}, \ell) = \{(\sigma', \mathcal{C}') \mid (\sigma, \mathcal{C}) \xrightarrow{\ell} (\sigma', \mathcal{C}')\}$
$\text{Reachable}(\sigma, \mathcal{C}) = \{(\sigma', \mathcal{C}') \mid (\sigma, \mathcal{C}) \to^* (\sigma', \mathcal{C}')\}.$

Normalisation is required by the proof system to infer equality of choreographies up to structural equivalence (especially for the $[\cdot] \mid [\cdot]$ operator). We define $\text{Norm}(\mathcal{C})$ to be a normalisation function from recursion-free choreographies into multisets of choreographies:

$\text{Norm}(0) = [\,]$
$\text{Norm}(A \to B : a(k).\ \mathcal{C}) = [A \to B : a(k).\ \mathcal{C}]$
$\text{Norm}(A \to B : k(e, y).\ \mathcal{C}) = [A \to B : k(e, y).\ \mathcal{C}]$
$\text{Norm}(A \to B : k[l_i : \mathcal{C}_i]_{i \in I}) = [A \to B : k[l_i : \mathcal{C}_i]_{i \in I}]$
$\text{Norm}(\text{if } e@A \text{ then } \mathcal{C}_1 \text{ else } \mathcal{C}_2) = [\text{if } e@A \text{ then } \mathcal{C}_1 \text{ else } \mathcal{C}_2]$
$\text{Norm}(\mathcal{C}_1 \mid \mathcal{C}_2) = [P_1, \ldots, P_n, Q_1, \ldots, Q_m]$   if $\text{Norm}(\mathcal{C}_1) = [P_1, \ldots, P_n]$ and $\text{Norm}(\mathcal{C}_2) = [Q_1, \ldots, Q_m]$

Lemma 5.2 (Normalisation preserves structural equivalence). Let $\mathcal{C}$ be a recursion-free choreography and $\text{Norm}(\mathcal{C}) = [P_1, \ldots, P_n]$; then $\mathcal{C} \equiv \prod_{i=1}^{n} P_i$.

Proof. By induction on the structure of the choreography $\mathcal{C}$.

Case $\mathcal{C} = 0$: We have $\text{Norm}(0) = [\,]$, and $\prod_{i=1}^{0} P_i = 0$.

Case $\mathcal{C} = \mathcal{C}_1 \mid \mathcal{C}_2$: We have that $\text{Norm}(\mathcal{C}_1) = [P_1, \ldots, P_n]$, $\text{Norm}(\mathcal{C}_2) = [Q_1, \ldots, Q_m]$, and $\prod_{i=1}^{n} P_i \equiv \mathcal{C}_1$, $\prod_{j=1}^{m} Q_j \equiv \mathcal{C}_2$ by the induction hypothesis. Then, we can derive that $\prod_{i=1}^{n} P_i \mid \prod_{j=1}^{m} Q_j \equiv \mathcal{C}_1 \mid \mathcal{C}_2$.

All the other cases: Trivially we have that $\text{Norm}(\mathcal{C}) = [P_1]$, where $P_1 = \mathcal{C}$; then $\prod_{i=1}^{1} P_i = \mathcal{C}$. □

Definition 5.3 (Entailment). We say that a choreography $\mathcal{C}$ entails a formula $\phi$ under a state $\sigma$, written 
$\mathcal{C} \vdash_\sigma \phi$, iff the assertion $\mathcal{C} \vdash_\sigma \phi$ has a proof in the proof system given in Table 4. 

Let us now describe some of the inference rules of the proof system. The rule $P_{end}$ relates the 
inaction term with the termination formula. The rules $P_{and}$ and $P_{neg}$ are the rules for conjunction and 
negation of classical logic, respectively. The rule for parallel composition is $P_{par}$; it does 
not describe the behaviour of a given choreography, but carries information about the structure of the 
process: $P_{par}$ juxtaposes the behaviour of two processes and combines their respective formulae by 
means of a separation operator. The next rule, $P_{action}$, requires that the choreography $\mathcal{C}$ in the configuration $(\sigma, \mathcal{C})$ can 



¹ Removing recursion yields a decidability result orthogonal to the conjecture formulated in Remark 4.4. 

$(P_{end})\ \dfrac{\mathit{Norm}(\mathcal{C}) = [\,]}{\mathcal{C} \vdash_\sigma \mathbf{end}}$ 
$\qquad (P_{and})\ \dfrac{\mathcal{C} \vdash_\sigma \phi_1 \quad \mathcal{C} \vdash_\sigma \phi_2}{\mathcal{C} \vdash_\sigma \phi_1 \wedge \phi_2}$ 
$\qquad (P_{neg})\ \dfrac{\mathcal{C} \nvdash_\sigma \phi}{\mathcal{C} \vdash_\sigma \neg \phi}$ 

$(P_{par})\ \dfrac{\mathit{Norm}(\mathcal{C}) = [P_1, \ldots, P_n] \quad \exists I, J.\ I \cup J = \{1, \ldots, n\} \wedge I \cap J = \emptyset \wedge \prod_{i \in I} P_i \vdash_\sigma \phi_1 \wedge \prod_{j \in J} P_j \vdash_\sigma \phi_2}{\mathcal{C} \vdash_\sigma \phi_1 \mid \phi_2}$ 

$(P_{action})\ \dfrac{\exists (\sigma', \mathcal{C}') \in \mathit{Next}(\sigma, \mathcal{C}, \ell).\ \mathcal{C}' \vdash_{\sigma'} \phi}{\mathcal{C} \vdash_\sigma \langle \ell \rangle \phi}$ 
$\qquad (P_{may})\ \dfrac{\exists (\sigma', \mathcal{C}') \in \mathit{Reachable}(\sigma, \mathcal{C}).\ \mathcal{C}' \vdash_{\sigma'} \phi}{\mathcal{C} \vdash_\sigma \Diamond \phi}$ 

$(P_{\exists})\ \dfrac{\exists w \in \mathit{fn}(\mathcal{C}) \cup \mathit{fn}(\phi).\ \mathcal{C} \vdash_\sigma \phi[w/t]}{\mathcal{C} \vdash_\sigma \exists t.\ \phi}$ 
$\qquad (P_{exp})\ \dfrac{\sigma(e_1@A) \Downarrow v \quad \sigma(e_2@B) \Downarrow v}{\mathcal{C} \vdash_\sigma (e_1@A = e_2@B)}$ 

Table 4: Proof system for the Global Calculus. 

perform an action labelled $\ell$, so we must search the continuations of $(\sigma, \mathcal{C})$ after an action $\ell$ for a 
configuration which satisfies the rest of the formula, i.e., $\phi$. Analogously, $P_{may}$ looks for a continuation 
among the reachable configurations of $(\sigma, \mathcal{C})$ in order to satisfy $\phi$. The rule $P_{\exists}$ says that in order to satisfy 
$\exists t.\ \phi$, it is sufficient to find a value $w$ for $t$ among the free names used by the choreography $\mathcal{C}$ or the free 
names used by the formula $\phi$. Finally, the rule $P_{exp}$ denotes evaluation of expressions. 

We now proceed to prove the soundness of the proof system with respect to the semantics of asser- 
tions presented before. 

Lemma 5.4 (Structural congruence preserves satisfiability). If $\mathcal{C} \equiv \mathcal{C}'$ and $\mathcal{C} \models_\sigma \phi$, then $\mathcal{C}' \models_\sigma \phi$. 

Proof. (Sketch) It follows from structural induction over $\phi$. □ 

Theorem 5.5 (Soundness). For any configuration $(\sigma, \mathcal{C})$, where $\mathcal{C}$ is recursion-free, and every formula 
$\phi$, if $\mathcal{C} \vdash_\sigma \phi$ then $\mathcal{C} \models_\sigma \phi$. 

Proof. It follows by induction on the derivation of $\mathcal{C} \vdash_\sigma \phi$. 



Case $P_{end}$: Straight consequence of Lemmas 5.2 and 5.4: indeed $\mathcal{C} \equiv \mathbf{0}$ and $\mathbf{0} \models_\sigma \mathbf{end}$. 

Case $P_{and}$: By the induction hypothesis and conjunction. 

Case $P_{neg}$: We have that $\mathcal{C} \vdash_\sigma \neg \phi$, so by $P_{neg}$ we get $\mathcal{C} \nvdash_\sigma \phi$. By the induction hypothesis we have that 
$\mathcal{C} \not\models_\sigma \phi$, which is the necessary condition to deduce $\mathcal{C} \models_\sigma \neg \phi$. 

Case $P_{par}$: We have that $\mathcal{C} \vdash_\sigma \phi_1 \mid \phi_2$; then $\mathit{Norm}(\mathcal{C}) = [P_1, \ldots, P_n]$, and there exist $I, J$ such that $I \cup J = 
\{1, \ldots, n\}$, $I \cap J = \emptyset$, $\prod_{i \in I} P_i \vdash_\sigma \phi_1$ and $\prod_{j \in J} P_j \vdash_\sigma \phi_2$. By the induction hypothesis we know that 
$\prod_{i \in I} P_i \models_\sigma \phi_1$ and $\prod_{j \in J} P_j \models_\sigma \phi_2$; then by Lemma 5.2 we have $\mathcal{C} \equiv \prod_{i \in I} P_i \mid \prod_{j \in J} P_j$, hence it is 
immediate to prove that $\mathcal{C} \models_\sigma \phi_1 \mid \phi_2$. 

Case $P_{action}$: We have that $\mathcal{C} \vdash_\sigma \langle \ell \rangle \phi$ and, by $P_{action}$, $\mathcal{C}' \vdash_{\sigma'} \phi$ for some $(\sigma', \mathcal{C}') \in \mathit{Next}(\sigma, \mathcal{C}, \ell)$. From 
the induction hypothesis we have that $\mathcal{C}' \models_{\sigma'} \phi$; then we have to show that $\mathcal{C} \models_\sigma \langle \ell \rangle \phi$. From the 
assertion semantics we know that $\mathcal{C} \models_\sigma \langle \ell \rangle \phi$ iff $(\sigma, \mathcal{C}) \xrightarrow{\ell} (\sigma', \mathcal{C}')$ and $\mathcal{C}' \models_{\sigma'} \phi$, which holds 
immediately by the selection of $(\sigma', \mathcal{C}') \in \mathit{Next}(\sigma, \mathcal{C}, \ell)$ and the induction hypothesis. 

Case $P_{may}$: We have that $\mathcal{C} \vdash_\sigma \Diamond \phi$ and, by $P_{may}$, $\mathcal{C}' \vdash_{\sigma'} \phi$ for some $(\sigma', \mathcal{C}') \in \mathit{Reachable}(\sigma, \mathcal{C})$. From 
the induction hypothesis we have that $\mathcal{C}' \models_{\sigma'} \phi$; then we have to show that $\mathcal{C} \models_\sigma \Diamond \phi$. From the 
assertion semantics we know that $\mathcal{C} \models_\sigma \Diamond \phi$ iff $(\sigma, \mathcal{C}) \rightarrow^{*} (\sigma', \mathcal{C}')$ and $\mathcal{C}' \models_{\sigma'} \phi$, which 
holds immediately by the selection of $(\sigma', \mathcal{C}') \in \mathit{Reachable}(\sigma, \mathcal{C})$ and the induction hypothesis. 

Case $P_{\exists}$: We have that $\mathcal{C} \vdash_\sigma \exists t.\ \phi$ and by $P_{\exists}$ we have that $\exists w \in \mathit{fn}(\mathcal{C}) \cup \mathit{fn}(\phi)$ and $\mathcal{C} \vdash_\sigma \phi[w/t]$. 
By the induction hypothesis we know that $\mathcal{C} \models_\sigma \phi[w/t]$ for the appropriate $w \in \mathit{fn}(\mathcal{C}) \cup \mathit{fn}(\phi)$; then 
$\mathcal{C} \models_\sigma \exists t.\ \phi$ follows from the definition of the assertion semantics. 

Case $P_{exp}$: It holds trivially by checking that $\sigma(e_1@A) \Downarrow v$ and $\sigma(e_2@B) \Downarrow v$. □ 

Lemma 5.6. For every configuration $(\sigma, \mathcal{C})$, where $\mathcal{C}$ is recursion-free, and every formula $\exists t.\ \phi$, if 
$\{n_1, \ldots, n_k\} = \mathit{fn}(\mathcal{C}) \cup \mathit{fn}(\phi)$, then $\mathcal{C} \models_\sigma \exists t.\ \phi$ iff $\exists m \in \{n_1, \ldots, n_k\}$ such that $\mathcal{C} \models_\sigma \phi[m/t]$. 

Proof. (Sketch) By induction on the structure of $\phi$. It is similar to the proof of [?, Lemma 5.3(3)]. □ 

Theorem 5.7 (Completeness). For any configuration $(\sigma, \mathcal{C})$, where $\mathcal{C}$ is recursion-free, and every for- 
mula $\phi$, if $\mathcal{C} \models_\sigma \phi$ then $\mathcal{C} \vdash_\sigma \phi$. 

Proof. By rule induction on the derivation of $\mathcal{C} \models_\sigma \phi$. 

Case $\mathcal{C} \models_\sigma \mathbf{end}$: We have that $\mathcal{C} \equiv \mathbf{0}$ and hence $\mathit{Norm}(\mathcal{C}) = [\,]$ by Lemma 5.2. Now, the thesis follows 
immediately from the application of $P_{end}$. 

Case $\mathcal{C} \models_\sigma (e_1@A = e_2@B)$: It follows immediately by the application of $P_{exp}$. 

Case $\mathcal{C} \models_\sigma \langle \ell \rangle \phi'$: Take $(\sigma, \mathcal{C}) \xrightarrow{\ell} (\sigma', \mathcal{C}')$ and $\mathcal{C}' \models_{\sigma'} \phi'$; we have by the induction hypothesis that 
$\mathcal{C}' \vdash_{\sigma'} \phi'$. Now, we have to show that $\mathcal{C} \vdash_\sigma \langle \ell \rangle \phi'$. By the fact that $(\sigma, \mathcal{C}) \xrightarrow{\ell} (\sigma', \mathcal{C}')$ we have 
that $(\sigma', \mathcal{C}') \in \mathit{Next}(\sigma, \mathcal{C}, \ell)$, hence we can apply rule $P_{action}$ and we are done. 

Case $\mathcal{C} \models_\sigma \phi \wedge \chi$: We have that $\mathcal{C} \models_\sigma \phi$ and $\mathcal{C} \models_\sigma \chi$. From the induction hypothesis we have that 
$\mathcal{C} \vdash_\sigma \phi$ and $\mathcal{C} \vdash_\sigma \chi$. The application of $P_{and}$ leads to $\mathcal{C} \vdash_\sigma \phi \wedge \chi$, as desired. 

Case $\mathcal{C} \models_\sigma \neg \phi$: From the definition of the assertion semantics we have that $\mathcal{C} \models_\sigma \neg \phi$ iff $\mathcal{C} \not\models_\sigma \phi$. We 
have to show that $\mathcal{C} \vdash_\sigma \neg \phi$. We proceed by contradiction. Suppose $\mathcal{C} \vdash_\sigma \phi$; then 
from Theorem 5.5 we have that $\mathcal{C} \models_\sigma \phi$, which contradicts $\mathcal{C} \models_\sigma \neg \phi$. Hence $\mathcal{C} \nvdash_\sigma \phi$, and $P_{neg}$ yields $\mathcal{C} \vdash_\sigma \neg \phi$. 

Case $\mathcal{C} \models_\sigma \exists t.\ \phi$: We have that $\mathcal{C} \models_\sigma \exists t.\ \phi$ and by the definition of the assertion semantics we have 
that $\mathcal{C} \models_\sigma \phi[w/t]$ for an appropriate $w$. By the induction hypothesis we know that $\mathcal{C} \vdash_\sigma \phi[w/t]$. 
Lemma 5.6 guarantees that there exists $w \in \mathit{fn}(\mathcal{C}) \cup \mathit{fn}(\phi)$, so that we can derive $\mathcal{C} \vdash_\sigma \exists t.\ \phi$ by $P_{\exists}$. 

Case $\mathcal{C} \models_\sigma \Diamond \phi'$: Take $(\sigma, \mathcal{C}) \rightarrow^{*} (\sigma', \mathcal{C}')$ and $\mathcal{C}' \models_{\sigma'} \phi'$; we have by the induction hypothesis that 
$\mathcal{C}' \vdash_{\sigma'} \phi'$. Now, we have to show that $\mathcal{C} \vdash_\sigma \Diamond \phi'$. By the fact that $(\sigma, \mathcal{C}) \rightarrow^{*} (\sigma', \mathcal{C}')$, we 
have that $(\sigma', \mathcal{C}') \in \mathit{Reachable}(\sigma, \mathcal{C})$, hence we can apply rule $P_{may}$ and we are done. 

Case $\mathcal{C} \models_\sigma \phi \mid \chi$: We have that $\mathcal{C} \equiv \mathcal{C}_1 \mid \mathcal{C}_2$ and $\mathcal{C}_1 \models_\sigma \phi \wedge \mathcal{C}_2 \models_\sigma \chi$. From the induction hypothesis 
$\mathcal{C}_1 \vdash_\sigma \phi$ and $\mathcal{C}_2 \vdash_\sigma \chi$. Now by Lemma 5.2 we have that $\mathcal{C}_1 \equiv \prod_{i \in I} P_i$ and $\mathcal{C}_2 \equiv \prod_{j \in J} P_j$ for some 
$I, J$. So we can derive $\mathcal{C} \equiv \prod_{i \in I} P_i \mid \prod_{j \in J} P_j$, and hence $P_{par}$ leads to $\mathcal{C}_1 \mid \mathcal{C}_2 \vdash_\sigma \phi \mid \chi$. □ 

Theorem 5.8 (Termination). For any configuration $(\sigma, \mathcal{C})$, where $\mathcal{C}$ is recursion-free, and every for- 
mula $\phi$, the proof-checking algorithm terminates. 

Proof. First, notice that all the functions $\mathit{Norm}$, $\mathit{Next}$, and $\mathit{Reachable}$ are total and computable. The 
proof is by induction over the structure of $\phi$. 

Case $\phi = \mathbf{end}$: $\mathcal{C} \vdash_\sigma \mathbf{end}$ iff $\mathit{Norm}(\mathcal{C}) = [\,]$. 

Case $\phi = \phi_1 \wedge \phi_2$: By conjunction and the induction hypothesis on $\mathcal{C} \vdash_\sigma \phi_1$ and $\mathcal{C} \vdash_\sigma \phi_2$. 

Case $\phi = \neg \phi'$: $\mathcal{C} \vdash_\sigma \neg \phi'$ iff $\mathcal{C} \vdash_\sigma \phi'$ does not hold. But by the induction hypothesis we can construct a 
terminating proof or refutation of $\mathcal{C} \vdash_\sigma \phi'$. Hence the proof for $\mathcal{C} \vdash_\sigma \neg \phi'$ terminates as well. 

Case $\phi = \phi_1 \mid \phi_2$: Suppose $\mathit{Norm}(\mathcal{C}) = [P_1, \ldots, P_n]$. Notice that there is a finite number (at most $2^n$) of possible 
partitionings of $\{1, \ldots, n\}$ into $I, J$. Hence, for every $I, J$ we can compute $\prod_{i \in I} P_i \vdash_\sigma \phi_1$ and $\prod_{j \in J} P_j \vdash_\sigma 
\phi_2$, which both terminate by the induction hypothesis. By applying Lemma 5.2 we prove the thesis. 

Case $\phi = \langle \ell \rangle \phi'$: First, notice that the set $\mathit{Next}(\sigma, \mathcal{C}, \ell)$ is finite, because the choreographies are finite, 
i.e., there is a finite number of actionable transitions in a given configuration. For each configura- 
tion $(\sigma', \mathcal{C}') \in \mathit{Next}(\sigma, \mathcal{C}, \ell)$, $\mathcal{C}' \vdash_{\sigma'} \phi'$ terminates by the induction hypothesis. 

Case $\phi = \Diamond \phi'$: As before, notice that the set $\mathit{Reachable}(\sigma, \mathcal{C})$ is finite, because the choreographies are 
finite, i.e., the choreographies are recursion-free. For each configuration $(\sigma', \mathcal{C}') \in \mathit{Reachable}(\sigma, \mathcal{C})$, 
$\mathcal{C}' \vdash_{\sigma'} \phi'$ terminates by the induction hypothesis. 

Case $\phi = \exists t.\ \phi'$: To prove existence it is sufficient to check every derivation obtained by substituting $t$ with a name 
$w \in \mathit{fn}(\mathcal{C}) \cup \mathit{fn}(\phi)$. Notice that $\mathit{fn}(\mathcal{C}) \cup \mathit{fn}(\phi)$ is finite, because both $\mathcal{C}$ and $\phi$ are so. So, for 
every $w$, we can construct a terminating derivation for $\mathcal{C} \vdash_\sigma \phi'[w/t]$ by the induction hypothesis. 

Case $\phi = (e_1@A = e_2@B)$: $\mathcal{C} \vdash_\sigma (e_1@A = e_2@B)$ iff $e_1@A \Downarrow v$ and $e_2@B \Downarrow v$. □ 
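As an added illustration, not code from the paper, the following Python sketch implements $\mathit{Norm}$, $\mathit{Next}$ and $\mathit{Reachable}$ and then decides $\mathcal{C} \vdash_\sigma \phi$ by reading Table 4 bottom-up, exactly in the shape the termination argument above describes: negation flips the result of the subformula, $P_{par}$ enumerates every split of $\mathit{Norm}(\mathcal{C})$, $P_{action}$ and $P_{may}$ search the finite continuation and reachability sets, and $P_{\exists}$ tries every name in $\mathit{fn}(\mathcal{C}) \cup \mathit{fn}(\phi)$. Everything not on this page is an assumption of the example: the reduction semantics of the calculus (a communication evaluates $e$ at $A$, stores the value in $y$ at $B$ and is labelled $(A, B, k)$; a conditional is resolved at $A$ with a $\tau$ label; branching and session initiation are left out), expressions as Python callables over a participant's local store, and $\exists t$ ranging over names that are substituted into labels and participant positions. The buyer/seller choreography at the end is constructed for the example.

```python
from collections import namedtuple
from functools import reduce
from itertools import product

# Recursion-free choreographies. Expressions e are Python callables over a participant's
# local store; a state sigma maps each participant name to its store (both assumptions).
Zero = namedtuple("Zero", [])                      # 0
Comm = namedtuple("Comm", "A B k e y cont")        # A -> B : k(e, y). cont
If = namedtuple("If", "e A c1 c2")                 # if e@A then c1 else c2
Par = namedtuple("Par", "c1 c2")                   # c1 | c2

def norm(c):                                       # Norm(C): multiset of parallel components
    if isinstance(c, Zero): return []
    if isinstance(c, Par): return norm(c.c1) + norm(c.c2)
    return [c]

def par(cs):                                       # product of components; empty product is 0
    return reduce(Par, cs) if cs else Zero()

def step(sigma, c):
    """All (label, sigma', C') with (sigma, C) --label--> (sigma', C'). Assumed semantics:
    a communication evaluates e at A, stores it in y at B, label (A, B, k); a conditional
    is resolved at A with label ('tau',)."""
    if isinstance(c, Comm):
        s2 = {p: dict(vs) for p, vs in sigma.items()}
        s2.setdefault(c.B, {})[c.y] = c.e(sigma.get(c.A, {}))
        return [((c.A, c.B, c.k), s2, c.cont)]
    if isinstance(c, If):
        return [(("tau",), sigma, c.c1 if c.e(sigma.get(c.A, {})) else c.c2)]
    if isinstance(c, Par):
        return ([(l, s, Par(d, c.c2)) for l, s, d in step(sigma, c.c1)] +
                [(l, s, Par(c.c1, d)) for l, s, d in step(sigma, c.c2)])
    return []

def reachable(sigma, c):                           # Reachable(sigma, C); finite: no recursion
    seen, todo = [(sigma, c)], [(sigma, c)]
    while todo:
        s, d = todo.pop()
        for _, s2, d2 in step(s, d):
            if (s2, d2) not in seen:
                seen.append((s2, d2)); todo.append((s2, d2))
    return seen

# Formulae of the global logic; labels are tuples of names.
End = namedtuple("End", [])
And = namedtuple("And", "f1 f2")
Not = namedtuple("Not", "f")
Sep = namedtuple("Sep", "f1 f2")                   # phi1 | phi2
Act = namedtuple("Act", "label f")                 # <l> phi
May = namedtuple("May", "f")                       # diamond phi
Exists = namedtuple("Exists", "t f")               # exists t. phi
Eq = namedtuple("Eq", "e1 A e2 B")                 # e1@A = e2@B

def fn_c(c):                                       # fn(C): participants and session names
    if isinstance(c, Comm): return {c.A, c.B, c.k} | fn_c(c.cont)
    if isinstance(c, If): return {c.A} | fn_c(c.c1) | fn_c(c.c2)
    if isinstance(c, Par): return fn_c(c.c1) | fn_c(c.c2)
    return set()

def fn_f(f):                                       # fn(phi): names in labels and participants
    if isinstance(f, (And, Sep)): return fn_f(f.f1) | fn_f(f.f2)
    if isinstance(f, (Not, May)): return fn_f(f.f)
    if isinstance(f, Act): return set(f.label) | fn_f(f.f)
    if isinstance(f, Exists): return fn_f(f.f) - {f.t}
    return {f.A, f.B} if isinstance(f, Eq) else set()

def subst(f, w, t):                                # phi[w/t]
    r = lambda x: w if x == t else x
    if isinstance(f, (And, Sep)): return type(f)(subst(f.f1, w, t), subst(f.f2, w, t))
    if isinstance(f, (Not, May)): return type(f)(subst(f.f, w, t))
    if isinstance(f, Act): return Act(tuple(map(r, f.label)), subst(f.f, w, t))
    if isinstance(f, Exists): return f if f.t == t else Exists(f.t, subst(f.f, w, t))
    return Eq(f.e1, r(f.A), f.e2, r(f.B)) if isinstance(f, Eq) else f

def proves(sigma, c, f):                           # decide C |-_sigma phi, one case per rule
    if isinstance(f, End):                                     # P_end
        return norm(c) == []
    if isinstance(f, And):                                     # P_and
        return proves(sigma, c, f.f1) and proves(sigma, c, f.f2)
    if isinstance(f, Not):                                     # P_neg
        return not proves(sigma, c, f.f)
    if isinstance(f, Sep):                                     # P_par: every split I, J of Norm(C)
        ps = norm(c)
        return any(proves(sigma, par([p for p, b in zip(ps, bits) if b]), f.f1) and
                   proves(sigma, par([p for p, b in zip(ps, bits) if not b]), f.f2)
                   for bits in product((True, False), repeat=len(ps)))
    if isinstance(f, Act):                                     # P_action
        return any(proves(s2, c2, f.f) for l, s2, c2 in step(sigma, c) if l == f.label)
    if isinstance(f, May):                                     # P_may
        return any(proves(s2, c2, f.f) for s2, c2 in reachable(sigma, c))
    if isinstance(f, Exists):                                  # P_exists
        return any(proves(sigma, c, subst(f.f, w, f.t)) for w in fn_c(c) | fn_f(f))
    return f.e1(sigma.get(f.A, {})) == f.e2(sigma.get(f.B, {}))  # P_exp (f is an Eq)

# Constructed sample: a buyer requests a quote on session k while, in parallel, it
# places an order with a bank on session h.
SIGMA = {"Buyer": {"item": "book"}, "Seller": {"price": 30}, "Bank": {}}
PROTOCOL = Par(
    Comm("Buyer", "Seller", "k", lambda s: s["item"], "req",
         Comm("Seller", "Buyer", "k", lambda s: s["price"], "quote", Zero())),
    Comm("Buyer", "Bank", "h", lambda s: s["item"], "order", Zero()))
```

Two things are worth noticing when running it. The $P_{par}$ case tries all $2^n$ splits of $\mathit{Norm}(\mathcal{C})$ and $\mathit{Reachable}$ grows with the number of interleavings, so the decision procedure is finite but exponential, which is all the termination theorem promises. And the $P_{neg}$ case is decided by running the checker on the subformula and flipping the answer; that is only a sound reading of $\neg\phi$ because the system is also complete (Theorem 5.7), so for the recursion-free fragment "not provable" and "not satisfied" coincide.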



6 Conclusion and Related Work 

The ideas presented here constitute just the first step towards a verification framework for choreogra- 
phies. As future work, our main concern is to integrate our framework with other end-point models 
and logical frameworks for the specification of sessions. In particular, our next step will focus on relat- 
ing the logic to the end-point projection [?], the process of automatically generating end-point code from a 
choreography. Other improvements to the proposed system include the use of fixed points, essential for 
describing state-changing loops, and auxiliary axioms describing structural properties of a choreography. 

This work can be fruitfully nourished by related work in types and logics for session-based commu- 
nication. In [13] the authors proposed a mapping between the calculus of structured communications 
and concurrent constraint programming, allowing them to establish a logical view of session-based com- 
munication in terms of formulae in First-Order Temporal Logic. In [1], Berger et al. presented proof systems 
characterising May/Must testing pre-orders and bisimilarities over typed $\pi$-calculus processes. The con- 
nection between types and logics in such a system comes in handy to restrict the shape of the processes 
one might be interested in, which lets us consider such work a suitable proof system for the calculus 
of end points. Finally, [15] studies a logic for choreographies in a model without services and sessions, 
while [2] proposes a notion of global assertion for enriching multiparty session types with simple formulae 
describing changes in the state of a session. 